
Fedora has released a batch of critical security patches across versions 42, 43, and 44 to address multiple high-risk vulnerabilities in widely used system software. The updates cover essential packages such as Python, OpenSSH, OpenSSL, Firefox, and PackageKit, fixing flaws that could allow remote code execution or privilege escalation. Administrators should apply these fixes immediately, since the vulnerabilities span scripting attacks, memory corruption issues, and dangerous race conditions that compromise system integrity. Each update can be installed with the standard dnf upgrade command and the --advisory option followed by the advisory identifier given in its notification below.

Fedora 44 Update: gum-0.17.0-3.fc44
Fedora 42 Update: PackageKit-1.3.4-3.fc42
Fedora 42 Update: firefox-150.0-1.fc42
Fedora 42 Update: nss-3.122.1-1.fc42
Fedora 42 Update: python3.14-3.14.4-2.fc42
Fedora 42 Update: mingw-python3-3.11.15-4.fc42
Fedora 42 Update: xrdp-0.10.6-1.fc42
Fedora 42 Update: libcoap-4.3.5b-1.fc42
Fedora 42 Update: gum-0.16.1-2.fc42
Fedora 42 Update: flatpak-1.16.6-1.fc42
Fedora 42 Update: python3-docs-3.13.13-1.fc42
Fedora 42 Update: cockpit-357-2.fc42
Fedora 42 Update: python3.13-3.13.13-1.fc42
Fedora 43 Update: chromium-147.0.7727.116-1.fc43
Fedora 43 Update: vim-9.2.390-1.fc43
Fedora 43 Update: openvpn-2.6.20-1.fc43
Fedora 43 Update: PackageKit-1.3.4-3.fc43
Fedora 43 Update: openssl-3.5.4-3.fc43
Fedora 43 Update: ngtcp2-1.22.1-1.fc43
Fedora 43 Update: openssh-10.0p1-9.fc43
Fedora 43 Update: mingw-python3-3.11.15-4.fc43
Fedora 43 Update: xrdp-0.10.6-1.fc43
Fedora 43 Update: python3.11-3.11.15-4.fc43
Fedora 43 Update: libcoap-4.3.5b-1.fc43




[SECURITY] Fedora 44 Update: gum-0.17.0-3.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-10cf6ce616
2026-04-28 01:29:45.334582+00:00
--------------------------------------------------------------------------------

Name : gum
Product : Fedora 44
Version : 0.17.0
Release : 3.fc44
URL : https://github.com/charmbracelet/gum
Summary : Tool for glamorous shell scripts
Description :
A tool for glamorous shell scripts. Leverage the power of Bubbles and Lip Gloss
in your scripts and aliases without writing any Go code!

--------------------------------------------------------------------------------
Update Information:

Update vendored goldmark to 1.7.17 to resolve CVE-2026-5160.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 17 2026 Carl George [carlwgeorge@fedoraproject.org] - 0.17.0-3
- Update vendored goldmark to 1.7.17 to resolve CVE-2026-5160
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2458994 - CVE-2026-5160 gum: github.com/yuin/goldmark/renderer/html: Cross-site Scripting due to improper URL validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458994
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-10cf6ce616' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 42 Update: PackageKit-1.3.4-3.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-41926fe792
2026-04-28 01:11:18.587435+00:00
--------------------------------------------------------------------------------

Name : PackageKit
Product : Fedora 42
Version : 1.3.4
Release : 3.fc42
URL : http://www.freedesktop.org/software/PackageKit/
Summary : Package management service
Description :
PackageKit is a D-Bus abstraction layer that allows the session user
to manage packages in a secure way using a cross-distro,
cross-architecture API.

--------------------------------------------------------------------------------
Update Information:

Backport fix for race condition leading to root compromise (GHSA-f55j-vvr9-69xv)
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 22 2026 Neal Gompa [ngompa@fedoraproject.org] - 1.3.4-3
- Actually apply patch for security fix
* Wed Apr 22 2026 Neal Gompa [ngompa@fedoraproject.org] - 1.3.4-2
- Backport fix for GHSA-f55j-vvr9-69xv
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2460579 - Local Privilege escalation: Run code as root due to race condition in PackageKit
https://bugzilla.redhat.com/show_bug.cgi?id=2460579
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-41926fe792' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: firefox-150.0-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-69538c9f7e
2026-04-28 01:11:18.587432+00:00
--------------------------------------------------------------------------------

Name : firefox
Product : Fedora 42
Version : 150.0
Release : 1.fc42
URL : https://www.mozilla.org/firefox/
Summary : Mozilla Firefox Web browser
Description :
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.

--------------------------------------------------------------------------------
Update Information:

Update NSS to 3.122.1
Update to Firefox 150.0
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 16 2026 Martin Stransky [stransky@redhat.com] - 150.0-1
- Update to latest upstream (150.0)
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-69538c9f7e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: nss-3.122.1-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-69538c9f7e
2026-04-28 01:11:18.587432+00:00
--------------------------------------------------------------------------------

Name : nss
Product : Fedora 42
Version : 3.122.1
Release : 1.fc42
URL : http://www.mozilla.org/projects/security/pki/nss/
Summary : Network Security Services
Description :
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.

--------------------------------------------------------------------------------
Update Information:

Update NSS to 3.122.1
Update to Firefox 150.0
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 20 2026 Frantisek Krenzelok [fkrenzel@redhat.com] - 3.122.1-1
- Update NSS to 3.122.1
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-69538c9f7e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: python3.14-3.14.4-2.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-1fd21102d1
2026-04-28 01:11:18.587397+00:00
--------------------------------------------------------------------------------

Name : python3.14
Product : Fedora 42
Version : 3.14.4
Release : 2.fc42
URL : https://www.python.org/
Summary : Version 3.14 of the Python interpreter
Description :
Python 3.14 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.

The python3.14 package provides the "python3.14" executable: the reference
interpreter for the Python language, version 3.
The majority of its standard library is provided in the python3.14-libs package,
which should be installed automatically along with python3.14.
The remaining parts of the Python standard library are broken out into the
python3.14-tkinter and python3.14-test packages, which may need to be installed
separately.

Documentation for Python is provided in the python3.14-docs package.

Packages containing additional libraries for Python are generally named with
the "python3.14-" prefix.

--------------------------------------------------------------------------------
Update Information:

Security fixes for CVE-2026-1502, CVE-2026-4786, CVE-2026-5713, CVE-2026-6100
New minor version of the alternate Python interpreter
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 16 2026 Charalampos Stratakis [cstratak@redhat.com] - 3.14.4-2
- Security fixes for CVE-2026-1502, CVE-2026-4786, CVE-2026-5713, CVE-2026-6100
Resolves: rhbz#2457944, rhbz#2458224, rhbz#2458488, rhbz#2458016
* Wed Apr 8 2026 Karolina Surma [ksurma@redhat.com] - 3.14.4-1
- Update to Python 3.14.4
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2457944 - CVE-2026-1502 python3.14: Python: HTTP header injection via CR/LF in proxy tunnel headers [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457944
[ 2 ] Bug #2458016 - CVE-2026-6100 python3.14: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458016
[ 3 ] Bug #2458224 - CVE-2026-4786 python3.14: Python: Arbitrary code execution via command injection in webbrowser.open() API [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458224
[ 4 ] Bug #2458488 - CVE-2026-5713 python3.14: Python: Information disclosure and arbitrary code execution via remote debugging with a malicious process. [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458488
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-1fd21102d1' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: mingw-python3-3.11.15-4.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-763e814afa
2026-04-28 01:11:18.587391+00:00
--------------------------------------------------------------------------------

Name : mingw-python3
Product : Fedora 42
Version : 3.11.15
Release : 4.fc42
URL : https://www.python.org/
Summary : MinGW Windows python3
Description :
MinGW Windows python3

--------------------------------------------------------------------------------
Update Information:

Backport fix for CVE-2026-4786.
Backport fixes for CVE-2026-6100, CVE-2026-3479, CVE-2026-1502
--------------------------------------------------------------------------------
ChangeLog:

* Sat Apr 18 2026 Sandro Mani [manisandro@gmail.com] - 3.11.15-4
- Backport fix for CVE-2026-4786
* Tue Apr 14 2026 Sandro Mani [manisandro@gmail.com] - 3.11.15-3
- Backport fixes for CVE-2026-6100, CVE-2026-3479, CVE-2026-1502
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2449254 - CVE-2026-3479 mingw-python3: Python pkgutil.get_data(): Path Traversal via improper resource argument validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449254
[ 2 ] Bug #2457939 - CVE-2026-1502 mingw-python3: Python: HTTP header injection via CR/LF in proxy tunnel headers [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457939
[ 3 ] Bug #2458011 - CVE-2026-6100 mingw-python3: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458011
[ 4 ] Bug #2458219 - CVE-2026-4786 mingw-python3: Python: Arbitrary code execution via command injection in webbrowser.open() API [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458219
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-763e814afa' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: xrdp-0.10.6-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f04c228c78
2026-04-28 01:11:18.587386+00:00
--------------------------------------------------------------------------------

Name : xrdp
Product : Fedora 42
Version : 0.10.6
Release : 1.fc42
URL : http://www.xrdp.org/
Summary : Open source remote desktop protocol (RDP) server
Description :
xrdp provides a fully functional RDP server compatible with a wide range
of RDP clients, including FreeRDP and Microsoft RDP client.

--------------------------------------------------------------------------------
Update Information:

Security fixes:
- CVE-2026-32105
- CVE-2026-32107
- CVE-2026-32623
- CVE-2026-32624
- CVE-2026-33145
- CVE-2026-33516
- CVE-2026-33689
- CVE-2026-35512

New features:
- Support for xorgxrdp bug fixes #249 and #342 (#3721)

Bug fixes:
- Honour pass_shell_as_env setting only if user sets a shell (#3725)
- We no longer try to create a NULL authentication file when using VNC over UDS (#3727)
- Problems with the Brazilian ABNT2 keyboard mapping have been corrected (#3728 3736)
- A 'file exists' error when installing xrdp over an existing installation has been addressed (#3780)
--------------------------------------------------------------------------------
ChangeLog:

* Sat Apr 18 2026 Bojan Smojver [bojan@rexursive.com] - 1:0.10.6-1
- Update to 0.10.6
- CVE-2026-32105, CVE-2026-32107, CVE-2026-32623, CVE-2026-32624
- CVE-2026-33145, CVE-2026-33516, CVE-2026-33689, CVE-2026-35512
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2459298 - CVE-2026-32105 xrdp: xrdp: Data integrity compromised due to missing MAC signature verification in Classic RDP Security [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459298
[ 2 ] Bug #2459302 - CVE-2026-32107 xrdp: xrdp: Privilege Escalation via improper privilege management [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459302
[ 3 ] Bug #2459616 - CVE-2026-33145 xrdp: xrdp: Arbitrary Command Execution via unsafe handling of AlternateShell parameter [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459616
[ 4 ] Bug #2459618 - CVE-2026-32623 xrdp: xrdp NeutrinoRDP: Remote Code Execution or Denial of Service via heap-based buffer overflow in fragmented RDP data handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459618
[ 5 ] Bug #2459620 - CVE-2026-35512 xrdp: xrdp: Remote Code Execution via heap-based buffer overflow [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459620
[ 6 ] Bug #2459621 - CVE-2026-33516 xrdp: xrdp: Denial of Service and Information Disclosure via specially crafted RDP message [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459621
[ 7 ] Bug #2459623 - CVE-2026-33689 xrdp: xrdp: Denial of Service and Information Disclosure via Out-of-Bounds Read [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459623
[ 8 ] Bug #2459625 - CVE-2026-32624 xrdp: xrdp: Denial of Service via crafted username and domain name [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459625
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f04c228c78' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: libcoap-4.3.5b-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a8ee24f019
2026-04-28 01:11:18.587359+00:00
--------------------------------------------------------------------------------

Name : libcoap
Product : Fedora 42
Version : 4.3.5b
Release : 1.fc42
URL : https://libcoap.net/
Summary : C library implementation of CoAP
Description :
The Constrained Application Protocol (CoAP) is a specialized web transfer
protocol for use with constrained nodes and constrained networks in the Internet
of Things. The protocol is designed for machine-to-machine (M2M) applications
such as smart energy and building automation.

libcoap implements a lightweight application-protocol for devices with
constrained resources such as computing power, RF range, memory, bandwidth,
or network packet sizes. This protocol, CoAP, was standardized in the IETF
working group "CoRE" as RFC 7252.

--------------------------------------------------------------------------------
Update Information:

Update to 4.3.5b
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 17 2026 Peter Robinson [pbrobinson@gmail.com] - 4.3.5b-1
- Update to 4.3.5b
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 4.3.5a-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2459331 - CVE-2026-29013 libcoap: libcoap: Memory corruption and denial of service via crafted CoAP requests
https://bugzilla.redhat.com/show_bug.cgi?id=2459331
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a8ee24f019' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: gum-0.16.1-2.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-bebf3b0544
2026-04-28 01:11:18.587353+00:00
--------------------------------------------------------------------------------

Name : gum
Product : Fedora 42
Version : 0.16.1
Release : 2.fc42
URL : https://github.com/charmbracelet/gum
Summary : Tool for glamorous shell scripts
Description :
A tool for glamorous shell scripts. Leverage the power of Bubbles and Lip Gloss
in your scripts and aliases without writing any Go code!

--------------------------------------------------------------------------------
Update Information:

Rebuild with latest golang to resolve CVE-2025-47906.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 17 2026 Carl George [carlwgeorge@fedoraproject.org] - 0.16.1-2
- Rebuild with latest golang to resolve CVE-2025-47906 rhbz#2399503
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2399503 - CVE-2025-47906 gum: Unexpected paths returned from LookPath in os/exec [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2399503
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-bebf3b0544' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: flatpak-1.16.6-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2a3e305ac4
2026-04-28 01:11:18.587345+00:00
--------------------------------------------------------------------------------

Name : flatpak
Product : Fedora 42
Version : 1.16.6
Release : 1.fc42
URL : https://flatpak.org/
Summary : Application deployment framework for desktop apps
Description :
flatpak is a system for building, distributing and running sandboxed desktop
applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for
more information.

--------------------------------------------------------------------------------
Update Information:

Update to 1.16.6
Fixes for CVE-2026-34078, CVE-2026-34079, GHSA-2fxp-43j9-pwvc and
GHSA-89xm-3m96-w3jg
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2026 Michael Catanzaro [mcatanzaro@redhat.com] - 1.16.6-1
- Update to 1.16.6
* Wed Apr 8 2026 David King [amigadave@amigadave.com] - 1.16.4-1
- Update to 1.16.4
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2456383 - CVE-2026-34078 flatpak: Flatpak: Arbitrary code execution via crafted symlinks in sandbox-expose options [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2456383
[ 2 ] Bug #2456394 - CVE-2026-34079 flatpak: Flatpak: Arbitrary file deletion on host via improper cache file path validation [fedora-42]
https://bugzilla.redhat.com/show_bug.cgi?id=2456394
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2a3e305ac4' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: python3-docs-3.13.13-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-13c6899032
2026-04-28 01:11:18.587342+00:00
--------------------------------------------------------------------------------

Name : python3-docs
Product : Fedora 42
Version : 3.13.13
Release : 1.fc42
URL : https://www.python.org/
Summary : Documentation for the Python 3 programming language
Description :
The python3-docs package contains documentation on the Python 3
programming language and interpreter.

--------------------------------------------------------------------------------
Update Information:

Update to 3.13.13
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2026 Tomáš Hrnčiar [thrnciar@redhat.com] - 3.13.13-1
- Update to 3.13.13
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2444706 - CVE-2026-2297 python3.13: CPython: Logging Bypass in Legacy .pyc File Handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2444706
[ 2 ] Bug #2448190 - CVE-2026-3644 python3.13: Incomplete control character validation in http.cookies [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448190
[ 3 ] Bug #2448206 - CVE-2026-4224 python3.13: Stack overflow parsing XML with deeply nested DTD content models [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448206
[ 4 ] Bug #2449258 - CVE-2026-3479 python3.13: Python pkgutil.get_data(): Path Traversal via improper resource argument validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449258
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-13c6899032' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: cockpit-357-2.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-134819a61b
2026-04-28 01:11:18.587340+00:00
--------------------------------------------------------------------------------

Name : cockpit
Product : Fedora 42
Version : 357
Release : 2.fc42
URL : https://cockpit-project.org/
Summary : Web Console for Linux servers
Description :
The Cockpit Web Console enables users to administer GNU/Linux servers using a
web browser.

It offers network configuration, log inspection, diagnostic reports, SELinux
troubleshooting, interactive command-line sessions, and more.

--------------------------------------------------------------------------------
Update Information:

ws: be more explicit when handling hostnames on cli [CVE-2026-4631]
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2026 Jelle van der Waa [jvanderw@redhat.com] - 357-2
- ws: be more explicit when handling hostnames on cli (CVE-2026-4631)
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-134819a61b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------



[SECURITY] Fedora 42 Update: python3.13-3.13.13-1.fc42


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-13c6899032
2026-04-28 01:11:18.587342+00:00
--------------------------------------------------------------------------------

Name : python3.13
Product : Fedora 42
Version : 3.13.13
Release : 1.fc42
URL : https://www.python.org/
Summary : Version 3.13 of the Python interpreter
Description :
Python 3.13 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.

--------------------------------------------------------------------------------
Update Information:

Update to 3.13.13
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2026 Tomáš Hrnčiar [thrnciar@redhat.com] - 3.13.13-1
- Update to 3.13.13
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2444706 - CVE-2026-2297 python3.13: CPython: Logging Bypass in Legacy .pyc File Handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2444706
[ 2 ] Bug #2448190 - CVE-2026-3644 python3.13: Incomplete control character validation in http.cookies [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448190
[ 3 ] Bug #2448206 - CVE-2026-4224 python3.13: Stack overflow parsing XML with deeply nested DTD content models [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448206
[ 4 ] Bug #2449258 - CVE-2026-3479 python3.13: Python pkgutil.get_data(): Path Traversal via improper resource argument validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449258
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-13c6899032' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: chromium-147.0.7727.116-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3ca69d20ed
2026-04-28 00:55:52.209340+00:00
--------------------------------------------------------------------------------

Name : chromium
Product : Fedora 43
Version : 147.0.7727.116
Release : 1.fc43
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

Update to 147.0.7727.116
* High CVE-2026-6919: Use after free in DevTools
* High CVE-2026-6920: Out of bounds read in GPU
* Medium CVE-2026-6921: Race in GPU
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 23 2026 Than Ngo [than@redhat.com] - 147.0.7727.116-1
- Update to 147.0.7727.116
* High CVE-2026-6919: Use after free in DevTools
* High CVE-2026-6920: Out of bounds read in GPU
* Medium CVE-2026-6921: Race in GPU
- Fix rhbz#2458171, unexpanded macros in manpage
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3ca69d20ed' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: vim-9.2.390-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-755c51e6a0
2026-04-28 00:55:52.209338+00:00
--------------------------------------------------------------------------------

Name : vim
Product : Fedora 43
Version : 9.2.390
Release : 1.fc43
URL : https://www.vim.org/
Summary : The VIM editor
Description :
VIM (VIsual editor iMproved) is an updated and improved version of the
vi editor. Vi was the first real screen-based editor for UNIX, and is
still very popular. VIM improves on vi by adding new features:
multiple windows, multi-level undo, block highlighting and more.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2026-39881
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 24 2026 Zdenek Dohnal [zdohnal@redhat.com] - 2:9.2.390-1
- patchlevel 390
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2456722 - CVE-2026-39881 vim: Vim: Arbitrary code execution via command injection in NetBeans interface
https://bugzilla.redhat.com/show_bug.cgi?id=2456722
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-755c51e6a0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: openvpn-2.6.20-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-670067411c
2026-04-28 00:55:52.209330+00:00
--------------------------------------------------------------------------------

Name : openvpn
Product : Fedora 43
Version : 2.6.20
Release : 1.fc43
URL : https://community.openvpn.net/
Summary : A full-featured TLS VPN solution
Description :
OpenVPN is a robust and highly flexible tunneling application that uses all
of the encryption, authentication, and certification features of the
OpenSSL library to securely tunnel IP networks over a single UDP or TCP
port. It can use the Marcus Franz Xaver Johannes Oberhumer's LZO library
for compression.

--------------------------------------------------------------------------------
Update Information:

Update to upstream OpenVPN 2.6.20
CVE-2026-40215
CVE-2026-35058
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 23 2026 Frank Lichtenheld [frank@lichtenheld.com] - 2.6.20-1
- Update to upstream OpenVPN 2.6.20
- CVE-2026-40215
- CVE-2026-35058
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-670067411c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: PackageKit-1.3.4-3.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7463cd3c32
2026-04-28 00:55:52.209321+00:00
--------------------------------------------------------------------------------

Name : PackageKit
Product : Fedora 43
Version : 1.3.4
Release : 3.fc43
URL : http://www.freedesktop.org/software/PackageKit/
Summary : Package management service
Description :
PackageKit is a D-Bus abstraction layer that allows the session user
to manage packages in a secure way using a cross-distro,
cross-architecture API.

--------------------------------------------------------------------------------
Update Information:

Backport fix for race condition leading to root compromise (GHSA-f55j-vvr9-69xv)
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 22 2026 Neal Gompa [ngompa@fedoraproject.org] - 1.3.4-3
- Actually apply patch for security fix
* Wed Apr 22 2026 Neal Gompa [ngompa@fedoraproject.org] - 1.3.4-2
- Backport fix for GHSA-f55j-vvr9-69xv
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2460579 - Local Privilege escalation: Run code as root due to race condition in PackageKit
https://bugzilla.redhat.com/show_bug.cgi?id=2460579
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7463cd3c32' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: openssl-3.5.4-3.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-47fffff581
2026-04-28 00:55:52.209315+00:00
--------------------------------------------------------------------------------

Name : openssl
Product : Fedora 43
Version : 3.5.4
Release : 3.fc43
URL : http://www.openssl.org/
Summary : Utilities from the general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

--------------------------------------------------------------------------------
Update Information:

Backport security patches from OpenSSL 3.5.6
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 20 2026 Pavol Žáčik [pzacik@redhat.com] - 1:3.5.4-3
- Backport security patches from OpenSSL 3.5.6
Resolves: CVE-2026-2673
Resolves: CVE-2026-28387
Resolves: CVE-2026-28388
Resolves: CVE-2026-28389
Resolves: CVE-2026-28390
Resolves: CVE-2026-31789
Resolves: CVE-2026-31790
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2447397 - CVE-2026-2673 openssl: OpenSSL TLS 1.3 server may choose unexpected key agreement group [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2447397
[ 2 ] Bug #2456467 - CVE-2026-28390 openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2456467
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-47fffff581' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: ngtcp2-1.22.1-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-a0f25484e9
2026-04-28 00:55:52.209310+00:00
--------------------------------------------------------------------------------

Name : ngtcp2
Product : Fedora 43
Version : 1.22.1
Release : 1.fc43
URL : https://github.com/ngtcp2/ngtcp2
Summary : Implementation of RFC 9000 QUIC protocol
Description :
"Call it TCP/2. One More Time."

ngtcp2 project is an effort to implement RFC9000 QUIC protocol.

--------------------------------------------------------------------------------
Update Information:

Update to 1.22.1 (rhbz#2452790)
Fixes
CVE-2026-40170
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 20 2026 Petr Menšík [pemensik@redhat.com] - 1.22.1-1
- Update to 1.22.1 (rhbz#2452790)
- Fixes CVE-2026-40170
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2452790 - ngtcp2-1.22.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2452790
[ 2 ] Bug #2459283 - CVE-2026-40170 ngtcp2: ngtcp2: Denial of service via stack buffer overflow during QUIC handshake [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459283
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-a0f25484e9' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: openssh-10.0p1-9.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2cedc95af8
2026-04-28 00:55:52.209308+00:00
--------------------------------------------------------------------------------

Name : openssh
Product : Fedora 43
Version : 10.0p1
Release : 9.fc43
URL : http://www.openssh.com/portable.html
Summary : An open source implementation of SSH protocol version 2
Description :
SSH (Secure SHell) is a program for logging into and executing
commands on a remote machine. SSH is intended to replace rlogin and
rsh, and to provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's version of the last free version of SSH, bringing
it up to date in terms of security and features.

This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.

--------------------------------------------------------------------------------
Update Information:

CVE-2026-35385: Fix privilege escalation via scp legacy protocol when not in
preserving file mode
CVE-2026-35388: Add connection multiplexing confirmation for proxy-mode
multiplexing sessions
CVE-2026-35387: Fix incomplete application of PubkeyAcceptedAlgorithms and
HostbasedAcceptedAlgorithms with regard to ECDSA keys
CVE-2026-35414: Fix mishandling of authorized_keys principals option
CVE-2026-35386: Add validation rules to usernames and hostnames set for
ProxyJump/-J on the commandline
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 17 2026 Zoltan Fridrich [zfridric@redhat.com] - 10.0p1-9
- CVE-2026-35385: Fix privilege escalation via scp legacy protocol
when not in preserving file mode
Resolves: rhbz#2454941
- CVE-2026-35388: Add connection multiplexing confirmation for proxy-mode
multiplexing sessions
Resolves: rhbz#2454951
- CVE-2026-35387: Fix incomplete application of PubkeyAcceptedAlgorithms
and HostbasedAcceptedAlgorithms with regard to ECDSA keys
Resolves: rhbz#2454944
- CVE-2026-35414: Fix mishandling of authorized_keys principals option
Resolves: rhbz#2454943
- CVE-2025-61985: Reject URL-strings with NULL characters
- CVE-2025-61984, CVE-2026-35386: Reject usernames with control characters
Resolves: rhbz#2454961
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2454941 - CVE-2026-35385 openssh: OpenSSH: Privilege escalation via scp legacy protocol when not preserving file mode [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454941
[ 2 ] Bug #2454943 - CVE-2026-35414 openssh: OpenSSH: Security bypass via mishandling of authorized_keys principals option [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454943
[ 3 ] Bug #2454944 - CVE-2026-35387 openssh: OpenSSH: Information disclosure due to unintended cryptographic algorithm usage [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454944
[ 4 ] Bug #2454951 - CVE-2026-35388 openssh: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454951
[ 5 ] Bug #2454961 - CVE-2026-35386 openssh: OpenSSH: Arbitrary command execution via shell metacharacters in username [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454961
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2cedc95af8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: mingw-python3-3.11.15-4.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-43577dc43b
2026-04-28 00:55:52.209260+00:00
--------------------------------------------------------------------------------

Name : mingw-python3
Product : Fedora 43
Version : 3.11.15
Release : 4.fc43
URL : https://www.python.org/
Summary : MinGW Windows python3
Description :
MinGW Windows python3

--------------------------------------------------------------------------------
Update Information:

Backport fix for CVE-2026-4786.
Backport fixes for CVE-2026-6100, CVE-2026-3479, CVE-2026-1502
--------------------------------------------------------------------------------
ChangeLog:

* Sat Apr 18 2026 Sandro Mani [manisandro@gmail.com] - 3.11.15-4
- Backport fix for CVE-2026-4786
* Tue Apr 14 2026 Sandro Mani [manisandro@gmail.com] - 3.11.15-3
- Backport fixes for CVE-2026-6100, CVE-2026-3479, CVE-2026-1502
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2449254 - CVE-2026-3479 mingw-python3: Python pkgutil.get_data(): Path Traversal via improper resource argument validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2449254
[ 2 ] Bug #2457939 - CVE-2026-1502 mingw-python3: Python: HTTP header injection via CR/LF in proxy tunnel headers [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457939
[ 3 ] Bug #2458011 - CVE-2026-6100 mingw-python3: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458011
[ 4 ] Bug #2458219 - CVE-2026-4786 mingw-python3: Python: Arbitrary code execution via command injection in webbrowser.open() API [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458219
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-43577dc43b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: xrdp-0.10.6-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9417ff0bc5
2026-04-28 00:55:52.209245+00:00
--------------------------------------------------------------------------------

Name : xrdp
Product : Fedora 43
Version : 0.10.6
Release : 1.fc43
URL : http://www.xrdp.org/
Summary : Open source remote desktop protocol (RDP) server
Description :
xrdp provides a fully functional RDP server compatible with a wide range
of RDP clients, including FreeRDP and Microsoft RDP client.

--------------------------------------------------------------------------------
Update Information:

Security fixes
CVE-2026-32105
CVE-2026-32107
CVE-2026-32623
CVE-2026-32624
CVE-2026-33145
CVE-2026-33516
CVE-2026-33689
CVE-2026-35512
New features
Support for xorgxrdp bug fixes #249 and #342 (#3721)
Bug fixes
Honour pass_shell_as_env setting only if user sets a shell (#3725)
We no longer try to create a NULL authentication file when using VNC over UDS
(#3727)
Problems with the Brazilian ABNT2 keyboard mapping have been corrected (#3728
3736)
A 'file exists' error when installing xrdp over an existing installation has
been addressed (#3780)
--------------------------------------------------------------------------------
ChangeLog:

* Sat Apr 18 2026 Bojan Smojver [bojan@rexursive.com] - 1:0.10.6-1
- Update to 0.10.6
- CVE-2026-32105, CVE-2026-32107, CVE-2026-32623, CVE-2026-32624
- CVE-2026-33145, CVE-2026-33516, CVE-2026-33689, CVE-2026-35512
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2459298 - CVE-2026-32105 xrdp: xrdp: Data integrity compromised due to missing MAC signature verification in Classic RDP Security [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459298
[ 2 ] Bug #2459302 - CVE-2026-32107 xrdp: xrdp: Privilege Escalation via improper privilege management [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459302
[ 3 ] Bug #2459616 - CVE-2026-33145 xrdp: xrdp: Arbitrary Command Execution via unsafe handling of AlternateShell parameter [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459616
[ 4 ] Bug #2459618 - CVE-2026-32623 xrdp: xrdp NeutrinoRDP: Remote Code Execution or Denial of Service via heap-based buffer overflow in fragmented RDP data handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459618
[ 5 ] Bug #2459620 - CVE-2026-35512 xrdp: xrdp: Remote Code Execution via heap-based buffer overflow [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459620
[ 6 ] Bug #2459621 - CVE-2026-33516 xrdp: xrdp: Denial of Service and Information Disclosure via specially crafted RDP message [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459621
[ 7 ] Bug #2459623 - CVE-2026-33689 xrdp: xrdp: Denial of Service and Information Disclosure via Out-of-Bounds Read [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459623
[ 8 ] Bug #2459625 - CVE-2026-32624 xrdp: xrdp: Denial of Service via crafted username and domain name [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2459625
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9417ff0bc5' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: python3.11-3.11.15-4.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-952616f3d6
2026-04-28 00:55:52.209227+00:00
--------------------------------------------------------------------------------

Name : python3.11
Product : Fedora 43
Version : 3.11.15
Release : 4.fc43
URL : https://www.python.org/
Summary : Version 3.11 of the Python interpreter
Description :
Python 3.11 is an accessible, high-level, dynamically typed, interpreted
programming language, designed with an emphasis on code readability.
It includes an extensive standard library, and has a vast ecosystem of
third-party libraries.

The python3.11 package provides the "python3.11" executable: the reference
interpreter for the Python language, version 3.
The majority of its standard library is provided in the python3.11-libs package,
which should be installed automatically along with python3.11.
The remaining parts of the Python standard library are broken out into the
python3.11-tkinter and python3.11-test packages, which may need to be installed
separately.

Documentation for Python is provided in the python3.11-docs package.

Packages containing additional libraries for Python are generally named with
the "python3.11-" prefix.

--------------------------------------------------------------------------------
Update Information:

Security fixes for CVE-2026-1502, CVE-2026-4786, CVE-2026-6100, CVE-2026-2297,
CVE-2026-3644, CVE-2026-4224
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 17 2026 Charalampos Stratakis [cstratak@redhat.com] - 3.11.15-4
- Security fixes for CVE-2026-1502, CVE-2026-4786, CVE-2026-6100, CVE-2026-2297, CVE-2026-3644, CVE-2026-4224
Resolves: rhbz#2457941, rhbz#2458221, rhbz#2458013, rhbz#2444704, rhbz#2448188, rhbz#2448204
* Sat Apr 11 2026 Miro Hrončok [mhroncok@redhat.com] - 3.11.15-3
- Explicitly build with OpenSSL 3
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2444704 - CVE-2026-2297 python3.11: CPython: Logging Bypass in Legacy .pyc File Handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2444704
[ 2 ] Bug #2448188 - CVE-2026-3644 python3.11: Incomplete control character validation in http.cookies [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448188
[ 3 ] Bug #2448204 - CVE-2026-4224 python3.11: Stack overflow parsing XML with deeply nested DTD content models [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2448204
[ 4 ] Bug #2457941 - CVE-2026-1502 python3.11: Python: HTTP header injection via CR/LF in proxy tunnel headers [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457941
[ 5 ] Bug #2458013 - CVE-2026-6100 python3.11: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458013
[ 6 ] Bug #2458221 - CVE-2026-4786 python3.11: Python: Arbitrary code execution via command injection in webbrowser.open() API [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2458221
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-952616f3d6' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------



[SECURITY] Fedora 43 Update: libcoap-4.3.5b-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0ce923a09d
2026-04-28 00:55:52.209207+00:00
--------------------------------------------------------------------------------

Name : libcoap
Product : Fedora 43
Version : 4.3.5b
Release : 1.fc43
URL : https://libcoap.net/
Summary : C library implementation of CoAP
Description :
The Constrained Application Protocol (CoAP) is a specialized web transfer
protocol for use with constrained nodes and constrained networks in the Internet
of Things. The protocol is designed for machine-to-machine (M2M) applications
such as smart energy and building automation.

libcoap implements a lightweight application-protocol for devices with
constrained resources such as computing power, RF range, memory, bandwidth,
or network packet sizes. This protocol, CoAP, was standardized in the IETF
working group "CoRE" as RFC 7252.

--------------------------------------------------------------------------------
Update Information:

Update to 4.3.5b
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 17 2026 Peter Robinson [pbrobinson@gmail.com] - 4.3.5b-1
- Update to 4.3.5b
* Fri Jan 16 2026 Fedora Release Engineering [releng@fedoraproject.org] - 4.3.5a-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2459331 - CVE-2026-29013 libcoap: libcoap: Memory corruption and denial of service via crafted CoAP requests
https://bugzilla.redhat.com/show_bug.cgi?id=2459331
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0ce923a09d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

